bisecting fixing commit since f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
building syzkaller on 816e0689d7d9d8321f8bf360740f0e516aee15ca
testing commit f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a with gcc (GCC) 8.1.0
kernel signature: 2c25c6caf246ae22978f1955134d4fbf4ddc92dd4fc8bac5b4a018ad2139e042
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing current HEAD c110fed0e606ff922d5cad8ab74ba9410ca41694
testing commit c110fed0e606ff922d5cad8ab74ba9410ca41694 with gcc (GCC) 8.1.0
kernel signature: 9ad89448ef7bfbdde1acc5c1131294a6e2fa9a9fb393892f005cabbe607cae2d
all runs: OK
# git bisect start c110fed0e606ff922d5cad8ab74ba9410ca41694 f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
Bisecting: 1059 revisions left to test after this (roughly 10 steps)
[5579d7502ff6374d0953691de5bca353e1ba6b30] x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels

testing commit 5579d7502ff6374d0953691de5bca353e1ba6b30 with gcc (GCC) 8.1.0
kernel signature: 872ebd7bf67577c6f3660ee565288be8b24045113a1d34cd4b2d1796da5aa2d6
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 5579d7502ff6374d0953691de5bca353e1ba6b30
Bisecting: 529 revisions left to test after this (roughly 9 steps)
[ba54b13c835609b3976714d3dde010c57d0fe23e] cifs: fix potential use-after-free in cifs_echo_request()

testing commit ba54b13c835609b3976714d3dde010c57d0fe23e with gcc (GCC) 8.1.0
kernel signature: 61435465e4df176eca8feefd9f5920db8f549c87606f1658cbd912b38dfa618d
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good ba54b13c835609b3976714d3dde010c57d0fe23e
Bisecting: 264 revisions left to test after this (roughly 8 steps)
[531d30493ddb26db900b666dd85b93dd3308b9b0] clk: ti: Fix memleak in ti_fapll_synth_setup

testing commit 531d30493ddb26db900b666dd85b93dd3308b9b0 with gcc (GCC) 8.1.0
kernel signature: 2bd7cc1c0a72e75cc2d7eeba57f7817bb00382a57c9e4e152c2a9b9042a8b9b6
all runs: OK
# git bisect bad 531d30493ddb26db900b666dd85b93dd3308b9b0
Bisecting: 132 revisions left to test after this (roughly 7 steps)
[ecc3960efd13003636238fe877f272f7cadd1707] ARM: p2v: fix handling of LPAE translation in BE mode

testing commit ecc3960efd13003636238fe877f272f7cadd1707 with gcc (GCC) 8.1.0
kernel signature: 989091fffcc799ff160ab8aca91d3025b15e17a20054a62283c2620eb553b467
all runs: OK
# git bisect bad ecc3960efd13003636238fe877f272f7cadd1707
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[1b4ea92e45841e41b20cb96d55a645e7fbb5b82c] ALSA: usb-audio: Fix control 'access overflow' errors from chmap

testing commit 1b4ea92e45841e41b20cb96d55a645e7fbb5b82c with gcc (GCC) 8.1.0
kernel signature: 16837a712725dc956d3bf6582ec76240a304176bd1b07686bc7cf1171437c8a1
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 1b4ea92e45841e41b20cb96d55a645e7fbb5b82c
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[fe72ad02f8ab634b712a16de8d9c6bd59ee00228] scsi: mpt3sas: Increase IOCInit request timeout to 30s

testing commit fe72ad02f8ab634b712a16de8d9c6bd59ee00228 with gcc (GCC) 8.1.0
kernel signature: 888ebad34af34e18dea5d33c28cc7af3e8507a796ed6b7ab4cc6f9dc69857dec
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good fe72ad02f8ab634b712a16de8d9c6bd59ee00228
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[61490c481c61ff230da5f6042f353c6c0db0bc0c] Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()

testing commit 61490c481c61ff230da5f6042f353c6c0db0bc0c with gcc (GCC) 8.1.0
kernel signature: eafca0542879720d296f0f3a4b5a459a16ee9ae1393babe31f62a9feed94dbca
all runs: OK
# git bisect bad 61490c481c61ff230da5f6042f353c6c0db0bc0c
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[d079263b2ee54eed7534d07f97f32dd17eebc2d7] usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul

testing commit d079263b2ee54eed7534d07f97f32dd17eebc2d7 with gcc (GCC) 8.1.0
kernel signature: b568ef14963ab2a5eb5a153f94c400e50a57248144e64bda46c385c982c0d4b7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good d079263b2ee54eed7534d07f97f32dd17eebc2d7
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[c9f589923f03a15402ea1e691e76897be65bb564] coresight: tmc-etr: Check if page is valid before dma_map_page()

testing commit c9f589923f03a15402ea1e691e76897be65bb564 with gcc (GCC) 8.1.0
kernel signature: b568ef14963ab2a5eb5a153f94c400e50a57248144e64bda46c385c982c0d4b7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good c9f589923f03a15402ea1e691e76897be65bb564
Bisecting: 1 revision left to test after this (roughly 1 step)
[145b35d22ee296cd19d17333373ca56d206e2848] HID: i2c-hid: add Vero K147 to descriptor override

testing commit 145b35d22ee296cd19d17333373ca56d206e2848 with gcc (GCC) 8.1.0
kernel signature: b568ef14963ab2a5eb5a153f94c400e50a57248144e64bda46c385c982c0d4b7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 145b35d22ee296cd19d17333373ca56d206e2848
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7a3c3a1c67e00942ae4890281b5b56026650bed8] serial_core: Check for port state when tty is in error state

testing commit 7a3c3a1c67e00942ae4890281b5b56026650bed8 with gcc (GCC) 8.1.0
kernel signature: 03dfee89330b00fbd391364decd9f5afa02a2356ac886f8542fe1007707736a8
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
# git bisect good 7a3c3a1c67e00942ae4890281b5b56026650bed8
61490c481c61ff230da5f6042f353c6c0db0bc0c is the first bad commit
commit 61490c481c61ff230da5f6042f353c6c0db0bc0c
Author: Peilin Ye <yepeilin.cs@gmail.com>
Date:   Wed Sep 9 03:17:00 2020 -0400

    Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
    
    commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream.
    
    `num_reports` is not being properly checked. A malformed event packet with
    a large `num_reports` number makes hci_le_direct_adv_report_evt() read out
    of bounds. Fix it.
    
    Cc: stable@vger.kernel.org
    Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events")
    Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01
    Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 net/bluetooth/hci_event.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

culprit signature: eafca0542879720d296f0f3a4b5a459a16ee9ae1393babe31f62a9feed94dbca
parent  signature: 03dfee89330b00fbd391364decd9f5afa02a2356ac886f8542fe1007707736a8
revisions tested: 13, total time: 2h55m42.199616588s (build: 1h55m35.034236336s, test: 58m54.33522871s)
first good commit: 61490c481c61ff230da5f6042f353c6c0db0bc0c Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
recipients (to): ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com" "yepeilin.cs@gmail.com"]
recipients (cc): []